Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: C:\projectsASF\ofbiz\applications\accounting\build\lib\ofbiz-accounting-test.jar
MD5: 97ae0dd44f26882813ee0bf1df5d788b
SHA1: 10bd41beb6f930349cfe40e4ec1e8c8364ed8830
File Path: C:\projectsASF\ofbiz\applications\accounting\build\lib\ofbiz-accounting.jar
MD5: 3d4ceabd5b7440f45646cb05117da391
SHA1: 6bf39ce8c3be4af910394ca6c19d3c41b573f141
File Path: C:\projectsASF\ofbiz\applications\content\build\lib\ofbiz-content-test.jar
MD5: 934934ca0c48cb41673571672bdd9d7e
SHA1: 6d21e885e548acabeea853e8fe6d925c817583df
File Path: C:\projectsASF\ofbiz\applications\content\build\lib\ofbiz-content.jar
MD5: 34414c26ddb180254df72797207e5f72
SHA1: 68da5a142b7dc1abe577d1e5eafad7ea9eeb4c20
Description: dom4j: the flexible XML framework for Java
File Path: C:\projectsASF\ofbiz\applications\content\lib\dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\applications\content\lib\poi-3.13-20150929.jar
File Path: C:\projectsASF\ofbiz\applications\humanres\build\lib\ofbiz-humanres.jar
MD5: 4e5bc9ef8514f9303745d504b00c4bac
SHA1: 703d05977d094831a4d3644a5b52ecc39151bf9b
File Path: C:\projectsASF\ofbiz\applications\manufacturing\build\lib\ofbiz-manufacturing.jar
MD5: 405cd7d43a21c58964c90d6a499ce8f7
SHA1: 2df6ae6b189b90cc486e2bca19db0221dff1e8d7
File Path: C:\projectsASF\ofbiz\applications\marketing\build\lib\ofbiz-marketing.jar
MD5: 1cb45b36210d5f6f742bbf1ae7d76947
SHA1: d95e9c7bc7d054b67997ac49735b08226c1e58f9
File Path: C:\projectsASF\ofbiz\applications\order\build\lib\ofbiz-order-test.jar
MD5: 118477dada6b8cbc219718783e17d427
SHA1: 5307c97957b4556d894a8b9161de790132b7a45d
File Path: C:\projectsASF\ofbiz\applications\order\build\lib\ofbiz-order.jar
MD5: 56d9195574eef719395c0b786e3b69b3
SHA1: 827007d70c58995a377bbd5cb62fe1dc9d09e3e1
File Path: C:\projectsASF\ofbiz\applications\party\build\lib\ofbiz-party.jar
MD5: 345563e1e0db614ddda4306208bbdcd0
SHA1: edf4d2a3b114672cc5f516d6705178d447834fa3
File Path: C:\projectsASF\ofbiz\applications\product\build\lib\ofbiz-product-test.jar
MD5: f877f559bd9298cb554728f6c8e3a8ff
SHA1: 9b01a54e794d8504a82c614bfd3f3f3ee7ce2d5e
File Path: C:\projectsASF\ofbiz\applications\product\build\lib\ofbiz-product.jar
MD5: 5b82e43e3760c20cfa01486b4016ca25
SHA1: 5c72e3378c711dac2c3fee90cab5c27fb8a6d9dc
Description:
Dozer is a powerful, yet simple Java Bean to Java Bean mapper that recursively copies data from one object to
another
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\applications\product\lib\dozer-4.2.1.jar
Description: A simple java library to allow image watermarking.
File Path: C:\projectsASF\ofbiz\applications\product\lib\watermarker-0.0.4.jar
MD5: 6d975194d3a526e4a2a3739b457b0004
SHA1: 821039419c7dfe4cd165cabdb686cb2b5f2ee535
File Path: C:\projectsASF\ofbiz\applications\securityext\build\lib\ofbiz-securityext-test.jar
MD5: ccc1f5e470a6a3562e367d5cd115492b
SHA1: d030ad12525423bef9ffe7dd7145d2cb914fe917
File Path: C:\projectsASF\ofbiz\applications\securityext\build\lib\ofbiz-securityext.jar
MD5: 86975d5d1d4c26e69830372e3f2f4dac
SHA1: 2646f1ff4506c0a009a691fed1eeae5e722e93f2
File Path: C:\projectsASF\ofbiz\applications\workeffort\build\lib\ofbiz-workeffort.jar
MD5: af7d6e4c76557ac8f70fd05d7e00add5
SHA1: 868345680e32b2b6a90b89f9ef4beca81200a21e
File Path: C:\projectsASF\ofbiz\framework\base\build\lib\ofbiz-base-test.jar
MD5: f373625d05be442140cbd1423ab400e1
SHA1: c5dec2809c626496f215cf3be7d3cd52f0aa8489
File Path: C:\projectsASF\ofbiz\framework\base\build\lib\ofbiz-base.jar
MD5: 58ac2270a29fb984e633a7c40c36f20c
SHA1: 2b18a185442e8b93e8cdb684f3b8ae2d65d12c13
Description: contains the junit and junitreport tasks
File Path: C:\projectsASF\ofbiz\framework\base\lib\ant-1.9.0-ant-junit.jar
MD5: 99a7567e995ab2591d0cd7c3349f02e2
SHA1: cc83eb94ddcef9c12d5ede5feac3f31a3d320e82
File Path: C:\projectsASF\ofbiz\framework\base\lib\ant-1.9.0-ant-launcher.jar
MD5: aa065e042ee374e7d97bcaf814cdcb8c
SHA1: a76484a4e3a893dd0ee018afef34f74df8e4ef6c
File Path: C:\projectsASF\ofbiz\framework\base\lib\ant-1.9.0-ant.jar
MD5: f95c303d8ebed1503e22571f9214acab
SHA1: d667bc2c030a338720bfcf794d2189ea5c663b9e
File Path: C:\projectsASF\ofbiz\framework\base\lib\ant\ant-1.9.0-ant-apache-bsf.jar
MD5: 9c5a516f80f08874ecf08bbb90440e09
SHA1: 996470c20c515b964aff7939d2e3bf0d3f91edc4
Description: A collection of tasks (and at one point maybe types and other tools) for Apache Ant
License:
http://ant-contrib.sourceforge.net/tasks/LICENSE.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\ant\ant-contrib-1.0b3.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\avalon-framework-4.2.0.jar
MD5: a874d1f49b448cbd0d9db84c2dfc54c4
SHA1: 73fdf5af02e1ce681f57ac107d6eeb2f045cbd67
File Path: C:\projectsASF\ofbiz\framework\base\lib\barcode4j-2.1-barcode4j-fop-ext-complete.jar
MD5: b6bebfaeef5985d068a4f9a1f8f52748
SHA1: a3b5ac2aeefd5b210b83d1a1032e110329aa8572
File Path: C:\projectsASF\ofbiz\framework\base\lib\batik-all-1.8.jar
MD5: ef1d830b1259f2a8e9bfd9fc411ddd0e
SHA1: 2e338c231b36d0212f4b3b7b2e8dcf80fa492bdf
File Path: C:\projectsASF\ofbiz\framework\base\lib\bsh-engine-modified.jar
MD5: 3869e80735faec2288b56ce6dc78bf16
SHA1: 9126a75065f5c4d50eb8333f213121e9c1a524b3
File Path: C:\projectsASF\ofbiz\framework\base\lib\clhm-release-1.0-lru.jar
MD5: 5272dc4023b354cdb545af2e38558c2b
SHA1: 8ce2689bdf402eec941bda5ef868173df9dde4de
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-beanutils-core-1.8.3.jar
MD5: 944f66e681239c8353e8497920f1e5d3
SHA1: 75812698e5e859f2cb587c622c4cdfcd61676426
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-codec-1.10.jar
Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-collections4-4.1.jar
Description:
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-compress-1.11.jar
Description:
The Apache Commons CSV library provides a simple interface for reading and writing
CSV files of various types.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-csv-1.1.jar
Description: JSP 2.0 Expression Language Interpreter Implementation
License:
The Apache Software License, Version 2.0: /LICENSE.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-el-1.0.jar
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-fileupload-1.3.1.jar
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-io-2.4.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-lang-2.6.jar
Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-logging-1.2.jar
Description:
Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-net-3.3.jar
Description: Apache Commons Object Pooling Library
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-pool2-2.3.jar
Description:
Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\commons\commons-validator-1.4.1.jar
Description: The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
License:
BSD: http://www.opensource.org/licenses/bsd-license.php
Creative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/
File Path: C:\projectsASF\ofbiz\framework\base\lib\esapi-2.1.0.jar
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\fontbox-1.8.11.jar
Description: Apache FOP (Formatting Objects Processor) is the world's first print formatter driven by XSL formatting objects (XSL-FO) and the world's first output independent formatter. It is a Java application that reads a formatting object (FO) tree and renders the resulting pages to a specified output. Output formats currently supported include PDF, PCL, PS, AFP, TIFF, PNG, SVG, XML (area tree representation), Print, AWT and TXT. The primary output target is PDF.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\fop-2.0.jar
Description:
FreeMarker is a "template engine"; a generic tool to generate text output based on templates.
License:
Apache License, Version 2.0: http://freemarker.org/LICENSE.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\freemarker-2.3.22.jar
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has two code dependencies - javax.annotation
per the JSR-305 spec and javax.inject per the JSR-330 spec.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\guava-14.0.1.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\hamcrest-all-1.2.jar
MD5: 78e505c6f5ceaa0b5b1d9ee4171fd503
SHA1: dd6dbd1fbb67287f29279f1a91ea51791dd796eb
Description:
Apache HttpComponents Client
File Path: C:\projectsASF\ofbiz\framework\base\lib\httpclient-4.4.1.jar
MD5: 38f9399922142fc9538d690dbaae7e2e
SHA1: 016d0bc512222f1253ee6b64d389c84e22f697f0
Description:
Apache HttpComponents Core (blocking I/O)
File Path: C:\projectsASF\ofbiz\framework\base\lib\httpcore-4.4.1.jar
MD5: 27bf6d5323a86a6115b607ce82512d6c
SHA1: f5aa318bda4c6c8d688c9d00b90681dcd82ce636
Description: A Java library for the automatic stimulation and testing of web applications.
License:
MIT License: http://httpunit.sourceforge.net/doc/license.html
File Path: C:\projectsASF\ofbiz\framework\base\lib\httpunit-1.7.jar
Description:
A Java library for reading and writing iCalendar (*.ics) files
License:
iCal4j - License: LICENSE
File Path: C:\projectsASF\ofbiz\framework\base\lib\ical4j-1.0-rc2.jar
Description:
International Component for Unicode for Java (ICU4J) is a mature, widely used Java library
providing Unicode and Globalization support
License:
ICU License: http://source.icu-project.org/repos/icu/icu/trunk/LICENSE
File Path: C:\projectsASF\ofbiz\framework\base\lib\icu4j-57_1.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\ivy-2.2.0.jar
MD5: 2703395cb677b36bbe04f0e868a10d2b
SHA1: f9d1e83e82fc085093510f7d2e77d81d52bc2081
Description: Annotations Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\annotations-api-3.0.jar
Description: Expression language package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\el-api-3.0.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-activation_1.0.2_spec-1.0.jar
MD5: a2ef03bac800790452eb400259ac10e1
SHA1: 6dc4b0c7d3358ae4752cf9cc0f97f98358ea7656
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-j2ee-connector_1.5_spec-2.0.0.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-jaxr_1.0_spec-1.0.jar
MD5: b75db39f775cfafb56eba304745d85ab
SHA1: f6a3b80feb6badbe12c21c8a51ede7fcd6e91e5f
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-jaxrpc_1.1_spec-1.0.jar
MD5: 552a184c114db85a36a361c6e5349385
SHA1: c581838de2339f61f1965db0ff912ff2ac1c4b30
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-jms_1.1_spec-1.1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-jta_1.1_spec-1.1.1.jar
Description: SOAP AA for Java 1.3
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\geronimo-saaj_1.3_spec-1.1.jar
Description: JSP package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\jsp-api-2.3.jar
Description: javax.servlet package
License:
Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0:
http://www.apache.org/licenses/LICENSE-2.0.txt and
http://www.opensource.org/licenses/cddl1.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\servlet-api-3.1.jar
Description: Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\jackson-annotations-2.4.0.jar
Description: Core Jackson abstractions, basic JSON streaming API implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\jackson-core-2.4.2.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\jackson-databind-2.4.2.jar
Description: Javolution - Java Solution for Real-Time and Embedded Systems.
This project uses template classes to generates java code for various versions
of the Java run-time (e.g. J2ME, 1.4, GCJ, 1.5). The default maven compilation
builds executable for Java 1.5+ (parameterized classes).
For others targets the ant script should be used directly (e.g. "ant j2me").
License:
BSD License: http://javolution.org/LICENSE.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\javolution-5.4.3.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\jce-jdk13-154.jar
MD5: 41647ae4bcc4cef7d482d7c090e56fc8
SHA1: e8141481ce40d7dac959fd8e617a6ac00969bcb8
License:
JDBM License, version 1.0
File Path: C:\projectsASF\ofbiz\framework\base\lib\jdbm-1.0-SNAPSHOT.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\jdom-1.1.jar
MD5: 143607f5af669492a0fcd66f9320bc18
SHA1: a97065a0b64844ded9a3325b06ad3dd2f6e40d1f
Description:
The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM)
specification. JempBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\jempbox-1.8.11.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\jpim-0.1.jar
MD5: 9ccce9e981b12b170b66c8842051d594
SHA1: 1578fb9d533748beba2402991e04522e6ed87fbe
File Path: C:\projectsASF\ofbiz\framework\base\lib\juel-impl-2.2.7.jar
MD5: c5d7a62edafb5706b6beadbbcfd8f57d
SHA1: 97958467acef4c2b230b72354a4eefc66628dd99
File Path: C:\projectsASF\ofbiz\framework\base\lib\juel-spi-2.2.7.jar
MD5: a4df3c8482a97ae937081b7d0ab407bb
SHA1: ca146332a93720784f24a5a24bb71c6d545133bd
File Path: C:\projectsASF\ofbiz\framework\base\lib\junit-dep-4.10.jar
MD5: c77e5567de786e6b8bced4f85c6e9595
SHA1: dd147c1691bd9b07550ddcf1221137e02c4d1a37
Description: The Apache Log4j 1.x Compatibility API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\log4j-1.2-api-2.3.jar
Description: The Apache Log4j API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\log4j-api-2.3.jar
Description: The Apache Log4j Implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\log4j-core-2.3.jar
Description: The Apache Log4j NoSQL appenders to databases such as MongoDB and CouchDB
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\log4j-nosql-2.3.jar
Description: The Apache Log4j SLF4J API binding to Log4j 2 Core
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\log4j-slf4j-impl-2.3.jar
Description: JavaMail API
License:
https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\projectsASF\ofbiz\framework\base\lib\mail-1.5.1.jar
Description: An HTML parser and tag balancer.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\nekohtml-1.9.16.jar
Description:
A fast and easy to configure HTML Sanitizer written in Java which
lets you include HTML authored by third-parties in your web
application while protecting against XSS.
License:
New BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\projectsASF\ofbiz\framework\base\lib\owasp-java-html-sanitizer-r239.jar
Description:
The Apache PDFBox library is an open source Java tool for working with PDF documents.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\pdfbox-1.8.11.jar
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier.
File Path: C:\projectsASF\ofbiz\framework\base\lib\resolver-2.9.1.jar
MD5: 706c533146c1f4ee46b66659ea14583a
SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\asm-3.2.jar
MD5: 3bbbf05e5f03f6b2ca4cf3073bd2e1b8
SHA1: b441856c33ad0455324132ab32038bd59414bd05
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\bsf-2.4.0.jar
MD5: 162ed0b06486f75f07a7c8904bcea02a
SHA1: bcc312a71d062fbc7e2d5e2800356043acf39a03
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\bsh-2.0b4.jar
MD5: 51f9eadb789ac715e2e5399c7c71190a
SHA1: b6328ee47a52d749dbf5fb85a4b52327dae2a770
Description: Groovy: A powerful, dynamic language for the JVM
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\groovy-all-2.4.5.jar
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\jakarta-oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
File Path: C:\projectsASF\ofbiz\framework\base\lib\scripting\jython-nooro.jar
MD5: 3c7d5b18c15ce75a8b7409f614302822
SHA1: 19890d914d22812aa3789cf98d3d506d74eda38d
File Path: C:\projectsASF\ofbiz\framework\base\lib\serializer-2.9.1.jar
MD5: f0fa654c1ea1186e9a5bd56e48e0d4a3
SHA1: c8e1f1e7bf871280375b392776340e5822126e6a
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\shiro-core-1.2.3.jar
Description: The slf4j API
File Path: C:\projectsASF\ofbiz\framework\base\lib\slf4j-api-1.6.4.jar
MD5: a134d83e0c12a9611824284c855ffb13
SHA1: bff73780230e6559b63134bbc2056c312eabb849
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also
includes the core facades for the Tika API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\tika-core-1.12.jar
Description: Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\tika-parsers-1.12.jar
Description: This is a small collection of classes, which are part of the Java 5 Core. In other words, you do not need this library, if you are running Java 5, or later. The Java 5 classes are used by projects like Apache JaxMe, Apache XML-RPC, or the ws-common-utils.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\ws-commons-java5-1.0.1.jar
Description:
This is a small collection of utility classes, that allow high performance XML
processing based on SAX. Basically, it is assumed that you are using a JAXP
1.1 compliant XML parser and nothing else. In particular, no dependency on the
javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\ws-commons-util-1.0.2.jar
Description:
Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types. It implements XSL Transformations (XSLT)
Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
the command line, in an applet or a servlet, or as a module in other programs.
File Path: C:\projectsASF\ofbiz\framework\base\lib\xalan-2.7.2.jar
MD5: 6aa6607802502c8016b676f25f8e4873
SHA1: d55d3f02a56ec4c25695fe67e1334ff8c2ecea23
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\xercesImpl-2.11.0.jar
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: C:\projectsASF\ofbiz\framework\base\lib\xml-apis-1.4.01.jar
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
File Path: C:\projectsASF\ofbiz\framework\base\lib\xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
File Path: C:\projectsASF\ofbiz\framework\base\lib\xmlgraphics-commons-2.0.1.jar
MD5: fcd771d4b8588acd9d96995223a80a30
SHA1: ce7d47367cc6754eb2fcc337b40c899956d33446
File Path: C:\projectsASF\ofbiz\framework\base\lib\xmlrpc-client-3.1.2.jar
MD5: b2da22fd59a0a6c8cf412f6f50d9880c
SHA1: ca8c57a1c4abc23b75b15ad636b4d20274f021c2
File Path: C:\projectsASF\ofbiz\framework\base\lib\xmlrpc-common-3.1.2.jar
MD5: 4037cace113e54ff20222a43cdc4b65d
SHA1: a8b0084839aee2f48113b3dc2517b8022a5fbc0f
File Path: C:\projectsASF\ofbiz\framework\base\lib\xmlrpc-server-3.1.2.jar
MD5: 04e884ead785a63e4ff8bc98f1f961f7
SHA1: 7e5123995d009129af3dfc663d2ec91c6541bf98
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: C:\projectsASF\ofbiz\framework\base\lib\xpp3-1.1.4c.jar
Description: XStream is a serialization library from Java objects to XML and back.
License:
http://x-stream.github.io/license.html
File Path: C:\projectsASF\ofbiz\framework\base\lib\xstream-1.4.9.jar
Description: Core barcode encoding/decoding library
File Path: C:\projectsASF\ofbiz\framework\base\lib\zxing-core-3.2.0.jar
MD5: d4100056fbaecca7cfa46507bc5c1e20
SHA1: e019d15a13a9786f881141d2df6654b8510bce8b
File Path: C:\projectsASF\ofbiz\framework\catalina\build\lib\ofbiz-catalina.jar
MD5: 99031f78d135af0fe4fef4920c05c828
SHA1: 0f8796576e81b6a935e93a760f339074d8f8b780
Description: Eclipse JDT Core Batch Compiler
License:
Eclipse Public License v1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: C:\projectsASF\ofbiz\framework\catalina\lib\ecj-4.5.jar
Description: Tomcat's JSP Parser
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\catalina\lib\tomcat-8.0.33-jasper.jar
File Path: C:\projectsASF\ofbiz\framework\common\build\lib\ofbiz-common-test.jar
MD5: a894f4382784414e47eaed2a5bcdb57e
SHA1: 82d59c122348949a35cdba57defb1f4b988ea5ae
File Path: C:\projectsASF\ofbiz\framework\common\build\lib\ofbiz-common.jar
MD5: 2d5880ecd01929a1eb0522f86e004241
SHA1: 761d337aab82b072fbf037f2f79450ef8605abd4
File Path: C:\projectsASF\ofbiz\framework\datafile\build\lib\ofbiz-datafile.jar
MD5: 1f52592a4fb5e3798b9647e92d4ae446
SHA1: 82993d48d075172dafa99421a0528f78c0d8b44c
File Path: C:\projectsASF\ofbiz\framework\entity\build\lib\ofbiz-entity-test.jar
MD5: 057de67acbca410a2074f8c6bb693e15
SHA1: 0358a8a7dc6daec307c0bd8c9034caffdc572900
File Path: C:\projectsASF\ofbiz\framework\entity\build\lib\ofbiz-entity.jar
MD5: d58da174b6d36646661156f6dd284265
SHA1: f4587179b60d0efc53b0b4bf090ea6b36b0824ec
Description: Apache Commons DBCP software implements Database Connection Pooling
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\entity\lib\commons-dbcp2-2.1.jar
Description: Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
File Path: C:\projectsASF\ofbiz\framework\entity\lib\jdbc\derby-10.11.1.1.jar
MD5: afe613d20dabc4eae9b025375adb7e84
SHA1: df4b50061e8e4c348ce243b921f53ee63ba9bbe1
File Path: C:\projectsASF\ofbiz\framework\entityext\build\lib\ofbiz-entityext.jar
MD5: 96b68cec44a2b41a21d71c3821c6fc43
SHA1: 4f31d5184081cee01b3371e0311882a0e4f65c2e
File Path: C:\projectsASF\ofbiz\framework\geronimo\build\lib\ofbiz-geronimo.jar
MD5: e44e8ba926d4190b527242905d708a4a
SHA1: 64db6c9130db09533eed1bc44088c75d53b976b2
Description: Apache Geronimo Transaction Manager
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\geronimo\lib\geronimo-transaction-3.1.1.jar
File Path: C:\projectsASF\ofbiz\framework\images\webapp\images\jquery\plugins\validate\package.json
MD5: 0d0dce7715fe4184364a6f0c10add6f1
SHA1: cfe99f497ed35573d7dfc291068d742399a0eee0
File Path: C:\projectsASF\ofbiz\framework\minilang\build\lib\ofbiz-minilang-test.jar
MD5: f4787c509afeceba6b1f54910fea9026
SHA1: d51ded3d6e9e1f35b1c37bd4ff4e9213571e377c
File Path: C:\projectsASF\ofbiz\framework\minilang\build\lib\ofbiz-minilang.jar
MD5: 6081ee578f70e5f1ace1cbef48ac887b
SHA1: 8b7979fec6086f35162d3b89a58da56646f93acc
File Path: C:\projectsASF\ofbiz\framework\security\build\lib\ofbiz-security.jar
MD5: 9fc4b551748c1ee176c2c350063c572d
SHA1: d5605038ce051479b5a8b254666c161e58ebb628
File Path: C:\projectsASF\ofbiz\framework\service\build\lib\ofbiz-service-test.jar
MD5: 4acc414588b0cca345573445dc7503d1
SHA1: 08d3a10daf5edc6054104698db763b75d852a844
File Path: C:\projectsASF\ofbiz\framework\service\build\lib\ofbiz-service.jar
MD5: 6fab0204b3662c2c721090f0eebae01a
SHA1: d15bb10b3eed32638bbc954ab49719a33cc8a055
File Path: C:\projectsASF\ofbiz\framework\service\build\rmi\ofbiz-service-rmi.jar
MD5: 5bfef8f8180400f2a4d3e0727d8167a0
SHA1: 731f07f4c151a9b7626b58e757befafa7672fba2
Description: The Axiom API
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-api-1.2.17.jar
Description: The default implementation of the Axiom API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-impl-1.2.17.jar
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/core-aspects/pom.xml
MD5: 578ca70e0a265fd5b1515eea14e67efb
SHA1: 42e8d4b4f2f941ab0b50240e6b096a1151221003
Description: Contains aspects and implementation classes shared by LLOM and DOOM.
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/om-aspects/pom.xml
MD5: be5411f23abad2369eb94ad64622bb54
SHA1: 2e08c15bd701460f07711311fad5785ecf7ad861
Description:
Contains mixins for methods that are shared between DOM and Axiom.
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/shared-aspects/pom.xml
MD5: ea8a4489f8026ca7b879fae7de636afd
SHA1: bbe62a1404feb5cc8f9a7babbd7a12d50479144b
File Path: C:\projectsASF\ofbiz\framework\service\lib\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/xml-utils/pom.xml
MD5: 76d0bf22e109300e6a67875c5781f659
SHA1: dac902cf3a5280076d8a92fc9a421fe15e23a1e6
Description: Core Parts of Axis2. This includes Axis2 engine, Client API, Addressing support, etc.,
File Path: C:\projectsASF\ofbiz\framework\service\lib\axis2-kernel-1.7.1.jar
MD5: f3b93056eebaf4c7f71c84def4f486e9
SHA1: b60e8f9dfc753a9d3aff02dbaee58a560afffbc3
Severity:
Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
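The two Axis2 findings above are not cryptographic breaks; they are logic flaws in how a verified XML signature is bound to the data the consumer then trusts. The following is an added example in Python (chosen because it runs on a stock interpreter; it is not Axis2, Rampart or OFBiz code) that reproduces both patterns against a simplified, unnamespaced SAML-like message. An HMAC over the serialized assertion stands in for a real enveloped XMLDSig signature, and the element names, the key and the messages are all constructed for the example:

```python
"""Signature exclusion and signature wrapping against an assertion consumer.
Added example (Python, not Axis2/Rampart code). An HMAC over the serialized
Assertion with its Signature child removed stands in for an enveloped XMLDSig
signature; element names are unnamespaced stand-ins for SAML/XMLDSig ones.
"""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

KEY = b"constructed-idp-signing-secret"  # stand-in for the IdP's signing key


def _canonical(assertion: ET.Element) -> bytes:
    """Bytes the signature covers: the Assertion minus its own Signature."""
    clone = copy.deepcopy(assertion)
    for sig in clone.findall("Signature"):
        clone.remove(sig)
    return ET.tostring(clone)


def sign(assertion: ET.Element) -> None:
    """Attach an enveloped Signature whose Reference points at the Assertion ID."""
    mac = hmac.new(KEY, _canonical(assertion), hashlib.sha256).hexdigest()
    sig = ET.SubElement(assertion, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion.get("ID"))
    ET.SubElement(sig, "SignatureValue").text = mac


def verified_element(root: ET.Element, sig: ET.Element) -> Optional[ET.Element]:
    """Resolve Reference/@URI by ID and check the MAC; return the covered element or None."""
    ref = sig.find("Reference")
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        return None
    target = next((e for e in root.iter() if e.get("ID") == uri[1:]), None)
    if target is None:
        return None
    expected = hmac.new(KEY, _canonical(target), hashlib.sha256).hexdigest()
    return target if hmac.compare_digest(expected, sig.findtext("SignatureValue", "")) else None


def vulnerable_subject(xml: str) -> str:
    """Treats a missing Signature as nothing to check (exclusion) and, when one
    is present, verifies one element but reads Subject from another (wrapping)."""
    root = ET.fromstring(xml)
    assertion = root.find(".//Assertion")  # first Assertion anywhere in the tree
    sig = root.find(".//Signature")        # any Signature anywhere in the tree
    if sig is not None and verified_element(root, sig) is None:
        raise ValueError("bad signature")
    return assertion.findtext("Subject")


def hardened_subject(xml: str) -> str:
    """Requires exactly one top-level Assertion with its own Signature, and uses
    the Subject only if that very element is what the signature covers."""
    root = ET.fromstring(xml)
    assertions = root.findall("Assertion")  # direct children only
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    assertion = assertions[0]
    sig = assertion.find("Signature")
    if sig is None:
        raise ValueError("unsigned Assertion rejected")
    if verified_element(root, sig) is not assertion:  # bind by identity, not by ID
        raise ValueError("Signature does not cover this Assertion")
    return assertion.findtext("Subject")


def build_signed_response(subject: str) -> str:
    """Constructed IdP output: a Response holding one signed Assertion."""
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="a1")
    ET.SubElement(assertion, "Subject").text = subject
    sign(assertion)
    return ET.tostring(root, encoding="unicode")


def forge_unsigned(xml: str, new_subject: str) -> str:
    """Signature exclusion: drop the Signature, rewrite the Subject."""
    root = ET.fromstring(xml)
    assertion = root.find("Assertion")
    assertion.remove(assertion.find("Signature"))
    assertion.find("Subject").text = new_subject
    return ET.tostring(root, encoding="unicode")


def wrap(xml: str, new_subject: str) -> str:
    """Signature wrapping: keep the genuinely signed Assertion intact (Reference
    still resolves, MAC still checks) but bury it under a new unsigned Assertion
    that comes first in document order."""
    root = ET.fromstring(xml)
    signed = root.find("Assertion")
    root.remove(signed)
    evil = ET.SubElement(root, "Assertion", ID="evil")
    ET.SubElement(evil, "Subject").text = new_subject
    ET.SubElement(evil, "Extensions").append(signed)
    return ET.tostring(root, encoding="unicode")


def is_rejected(consumer, xml: str) -> bool:
    try:
        consumer(xml)
    except ValueError:
        return True
    return False
```

`vulnerable_subject` accepts `forge_unsigned(...)` because it treats a missing Signature as nothing to check, and accepts `wrap(...)` because the Reference still resolves to the genuinely signed element while the Subject is read from the first Assertion found. `hardened_subject` refuses both: it insists on a Signature and compares the verified element to the one it is about to use by object identity rather than by ID lookup. A real verifier should additionally reject duplicate ID values and apply the same identity binding after namespace-aware canonicalization.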
Description: Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing its requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\neethi-3.0.3.jar
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\woden-core-1.0M10.jar
Description: Java stub generator for WSDL
License:
CPL: http://www.opensource.org/licenses/cpl1.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\wsdl4j-1.6.2.jar
Description: Commons XMLSchema is a light weight schema object model that can be used to manipulate or
generate XML schema.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\service\lib\xmlschema-core-2.2.1.jar
File Path: C:\projectsASF\ofbiz\framework\testtools\build\lib\ofbiz-testtools.jar
MD5: c6d7ef3185f0ecfc05b3ce6366040dc6
SHA1: 44bb3db9b1d8a806105280dd00961f48001c4d1a
Description: Spring Core
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\testtools\lib\spring-core-4.2.3.jar
Description: Spring TestContext Framework
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\testtools\lib\spring-test-4.2.3.jar
File Path: C:\projectsASF\ofbiz\framework\webapp\build\lib\ofbiz-webapp-test.jar
MD5: 9eaa0eaf50dda68957f24a8a808c4e1a
SHA1: 09e645b5ea44aba2a3a25a4208f743e34c7f0685
File Path: C:\projectsASF\ofbiz\framework\webapp\build\lib\ofbiz-webapp.jar
MD5: 339043448d512fc4446f68b724905b5c
SHA1: b156d534de90c37054f47746d0875564bf1a0259
Description:
Simple java library for transforming an Object to another Object.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\webapp\lib\ezmorph-0.9.1.jar
Description: iText, a free Java-PDF library
License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.html
File Path: C:\projectsASF\ofbiz\framework\webapp\lib\iText-2.1.7.jar
Description: All Roads Lead to ROME.
ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats.
Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0) and Atom 0.3 feeds.
Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another.
The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\webapp\lib\rome-0.9.jar
File Path: C:\projectsASF\ofbiz\framework\webtools\build\lib\ofbiz-webtools.jar
MD5: 0942f8141c6a16a174f053b267f0c855
SHA1: 00b73cc5f6e2da51bbf5fe91ca8924e0d795f7cc
File Path: C:\projectsASF\ofbiz\framework\widget\build\lib\ofbiz-widget-test.jar
MD5: e7cd58bb9ec3abfb54b2a26d3f2d01ad
SHA1: 2d664a10fcaf8f6936e0a1982446a4abb22c6a93
File Path: C:\projectsASF\ofbiz\framework\widget\build\lib\ofbiz-widget.jar
MD5: 1a6d30576c6e6cd3683f6d5845e69bb7
SHA1: 2aa728463b9a9f73031f4a6c011703265733575c
File Path: C:\projectsASF\ofbiz\ofbiz.jar
MD5: 2fc32c948cabccb989ac6468b32ad512
SHA1: 2de7c549bd4030259432463e1526fa705f81f109
File Path: C:\projectsASF\ofbiz\specialpurpose\assetmaint\build\lib\ofbiz-assetmaint.jar
MD5: 7c7e080627bb0574da4304b48c1e8ad4
SHA1: dec698b777d7525b7479afeef432d62d3a6e9ae7
File Path: C:\projectsASF\ofbiz\specialpurpose\bi\build\lib\ofbiz-bi.jar
MD5: af726ab280c4e20edd2d3f62880fdc71
SHA1: c90510eb2bbb48c89d6c2fc7ca2282cebff5839e
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\build\lib\ofbiz-birt.jar
MD5: 0356c866f499a6f5795e9363199a3c36
SHA1: 3ca6a9f06388379667f20103601b50c431e6d8d6
Description:
An implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\axis-1.4.jar
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
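The two findings above describe two failure modes in the same client code: the second is the absence of any hostname check at all, the first is an incomplete fix in which the common name is pulled out of the subject DN string by searching for the text "CN=" instead of parsing the DN into its attributes, so a certificate whose O attribute value happens to contain "CN=www.example.com" passes for www.example.com. The same pair is reported below against jaxrpc.jar and saaj.jar, which the tool has matched to the same Axis 1.4 identifier; whether those jars actually carry the affected client code is worth confirming before treating them as separate issues (the report itself notes that false positives are possible). The following added example, written in Python rather than Java and not Apache Axis code, puts the substring-based lookup beside a matcher that parses RDNs and prefers subjectAltName dNSName entries as RFC 6125 requires; the certificate dicts, subject strings and host names are constructed for the example:

```python
"""Hostname verification against an X.509 subject: the bug class and the fix.
Added illustration (Python, not Apache Axis code). `naive_get_cn` does what
the finding above describes, a substring search for "CN=" anywhere in the
subject DN; `verify_hostname` parses the DN into RDNs and prefers dNSName
subjectAltName entries. Certificates are plain dicts constructed inline.
"""
from typing import List, Optional, Tuple


def naive_get_cn(subject_dn: str) -> Optional[str]:
    """Vulnerable: the first "CN=" found anywhere wins, even when it sits inside
    another attribute's value such as O=CN=www.example.com."""
    i = subject_dn.find("CN=")
    if i < 0:
        return None
    end = subject_dn.find(",", i)
    return subject_dn[i + 3: end if end >= 0 else None].strip()


def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (TYPE, value) RDNs, honouring backslash escapes,
    so a comma or "=" inside a value cannot manufacture a fake attribute."""
    rdns, cur, escaped = [], [], False
    for ch in subject_dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        if "=" in rdn:
            attr_type, value = rdn.split("=", 1)  # only the first "=" separates type from value
            parsed.append((attr_type.strip().upper(), value.strip()))
    return parsed


def dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match; a wildcard covers exactly one left-most
    label and a pattern like *.com is never accepted."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = host.split(".")
        return ("*" not in rest and rest.count(".") >= 1
                and len(labels) == rest.count(".") + 2
                and ".".join(labels[1:]) == rest)
    return pattern == host


def naive_verify(cert: dict, host: str) -> bool:
    """The incomplete fix described above: CN taken from the wrong field."""
    cn = naive_get_cn(cert["subject"])
    return cn is not None and dns_match(cn, host)


def verify_hostname(cert: dict, host: str) -> bool:
    """Hardened: dNSName SANs take precedence; the CN is consulted only when no
    dNSName SAN exists, and only a real CN attribute counts."""
    dns_sans = [v for (t, v) in cert.get("san", []) if t == "DNS"]
    if dns_sans:
        return any(dns_match(p, host) for p in dns_sans)
    cns = [v for (t, v) in parse_dn(cert["subject"]) if t == "CN"]
    return any(dns_match(cn, host) for cn in cns)


# Constructed test certificates (subject strings only, no real certificates).
MITM_CERT = {  # issued for attacker.example.net; its O value contains the decoy text CN=
    "subject": "O=CN=www.example.com, CN=attacker.example.net",
    "san": [],
}
GOOD_CERT = {
    "subject": "O=Example Corp, CN=www.example.com",
    "san": [("DNS", "www.example.com"), ("DNS", "*.api.example.com")],
}

if __name__ == "__main__":
    print("naive check accepts MITM cert for www.example.com:", naive_verify(MITM_CERT, "www.example.com"))
    print("hardened check accepts MITM cert:", verify_hostname(MITM_CERT, "www.example.com"))
```

The second finding (no hostname verification whatsoever) corresponds to never calling anything like `verify_hostname` after the TLS handshake; the example covers the incomplete-fix variant, where a check exists but reads the wrong field. A production client should not hand-roll this at all: on the JVM, `HttpsURLConnection` and `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` perform RFC 6125 matching, and the point of the example is only to make visible what the flawed lookup gets wrong.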
Description: The Apache Commons Discovery component is about discovering, or finding,
implementations for pluggable interfaces.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\commons-discovery-0.5.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\flute.jar
MD5: 2f2e13cd3523c545dd1c4617b373692c
SHA1: b7d59dc172005598b55699b1a75605b13c14f1fd
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\jaxrpc.jar
MD5: b4592e5eccfeeeae87cfadef0ca66c66
SHA1: b393f1f0c0d95b68c86d0b1ab2e687bb71f3c075
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\js.jar
MD5: 7cf98eb22ced3addc0aab7dcee06a4dc
SHA1: 5238d0e52ae97197f2b5ea9e94ebb2b864d61998
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.apache.xml.resolver_1.2.0.v201005080400.jar
MD5: 621d67a8ed1ef1e70dca898e1126ee24
SHA1: 8cb0def7637e396858ce04fa42313bf53b7b6cc0
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.apache.xml.serializer_2.7.1.v201005080400.jar
MD5: 95b3f276cfed8c356b9187d2f55b02e5
SHA1: 6e093377c624aaff339e1d238ceaadd689d6e3cc
Description:
The codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.birt.runtime_4.3.1.v20130918-1142.jar
MD5: ef13cf157ffa3e213319c7d59be164cd
SHA1: 1091f92e050045c0c807f0d708cbd8c7dd4a6153
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.contenttype_3.4.200.v20130326-1255.jar
MD5: 53dc9380a18ddf9d5c020dbd4a29ae77
SHA1: a08e1073e27f8d80ac7ada3e1415d93875e598b5
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.expressions_3.4.500.v20130515-1343.jar
MD5: b1bcbed13ad26260b1118cadfa4eea23
SHA1: b4723fbe6e32b5ddf42256814fc280d9390f356c
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.filesystem_1.4.0.v20130514-1240.jar
MD5: d5999101500966fbf810766745aaaa6f
SHA1: bc9dc0d14e6de65feb7906de9e274e2682c53b33
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.jobs_3.5.300.v20130429-1813.jar
MD5: 89da18399b40095b0cb75fe41eb59fb1
SHA1: ef5f3f4141221dd6e9da061eca41e4a939628098
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.resources_3.8.101.v20130717-0806.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.resources_3.8.101.v20130717-0806.jar\ant_tasks\resources-ant.jar
MD5: 557b0f899da0fa041f3b023c2149f88d
SHA1: 28f94a7a7c20b25c522a68c061eee4f0aec44321
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.core.runtime_3.9.0.v20130326-1255.jar
MD5: 9476e6aeeb085f23957439aaa905bfa9
SHA1: 106e19b16b912c27d5b55cfff66623fa2bf7c923
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.datatools.connectivity.oda_3.4.1.v201308160907.jar
Description: http://www.eclipse.org
License:
The Eclipse Public License Version 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.emf.common_2.9.1.v20130827-0309.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.emf.ecore.change_2.9.0.v20130827-0309.jar
Description: http://www.eclipse.org
License:
The Eclipse Public License Version 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.emf.ecore.xmi_2.9.1.v20130827-0309.jar
Description: http://www.eclipse.org
License:
The Eclipse Public License Version 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.emf.ecore_2.9.1.v20130827-0309.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.emf_2.6.0.v20130902-0605.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.equinox.app_1.3.100.v20130327-1442.jar
MD5: 15fb9829bcaf5e27e3326c338086b4ef
SHA1: 487677af4bf0fb19d5add5b33badcaa532825528
Description: Common Eclipse Runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.equinox.preferences_3.5.100.v20130422-1538.jar
MD5: 48ce4d516094a03be9e1ee3b6e79cf81
SHA1: 205ced53d19fc2e97c4750d875761226ae91ae5c
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.equinox.registry_3.5.301.v20130717-1549.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.osgi.services_3.3.100.v20130513-1956.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.osgi_3.9.1.v20130814-1242.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.eclipse.update.configurator_3.3.200.v20130326-1319.jar
MD5: c429b9e8f596e6704b35aee5fad48ec0
SHA1: 0f5bdbb0c2e81e244a456f39b64a22a2b8d7dfc7
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.w3c.css.sac_1.3.0.v200805290154.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.w3c.dom.smil_1.0.0.v200806040011.jar
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\org.w3c.dom.svg_1.1.0.v201011041433.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\saaj.jar
MD5: 87b30c8124683bbd11f9ff2bcaaafbf8
SHA1: 581149d1f391258754354f2acf2b56665d53de2e
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions:
Description: A component of the BIRT runtime
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/org/documents/epl-v10.html
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\Tidy.jar
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
File Path: C:\projectsASF\ofbiz\specialpurpose\birt\lib\viewservlets.jar
MD5: fc687e5b5fd43c0d734ccda6f2019628
SHA1: 2aa00f438b3137241d5800d625ec0a45e93a032f
Severity:
Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in birt-viewer/run in Eclipse Business Intelligence and Reporting Tools (BIRT) before 2.5.0, as used in KonaKart and other products, allows remote attackers to inject arbitrary web script or HTML via the __report parameter.
Vulnerable Software & Versions:
Description: Additional Analyzers
File Path: C:\projectsASF\ofbiz\specialpurpose\cmssite\template\docbook\extensions\lucene-analyzers-3.0.0.jar
MD5: 5ec67da613aad8d0bb5f7b5ee8c56280
SHA1: 4fd1f6f06acac4274db213f42e688b7fdfe49704
Description: Apache Lucene Java Core
File Path: C:\projectsASF\ofbiz\specialpurpose\cmssite\template\docbook\extensions\lucene-core-3.0.0.jar
MD5: e80e6dc76e8c1adb2e3611d9566d88f2
SHA1: 7c2d82c700746f84d60640507f26444f119e0423
File Path: C:\projectsASF\ofbiz\specialpurpose\cmssite\template\docbook\extensions\saxon65.jar
MD5: 349902770ef341913696f6420be0e382
SHA1: b11dc911ba244e0d21431baf0d08ca56ffc85868
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
License:
Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\cmssite\template\docbook\extensions\tagsoup-1.2.1.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\cmssite\template\docbook\extensions\webhelpindexer.jar
MD5: 89fe1e6847bb3563904274b07e5841b1
SHA1: 52f4f1d0a9cf881744a4b9decfd77cfcaef947db
File Path: C:\projectsASF\ofbiz\specialpurpose\ebay\build\lib\ofbiz-ebay.jar
MD5: 52b1d41cc2030c4f371f608ac925ab61
SHA1: c209458c0c2cfc436b605208af53372b14f3bf8b
File Path: C:\projectsASF\ofbiz\specialpurpose\ebaystore\build\lib\ofbiz-ebaystore.jar
MD5: b6845587518999c43e98684668c051c7
SHA1: aa8d4a596d3a24aed839894b8dfa8e5f256eaddd
File Path: C:\projectsASF\ofbiz\specialpurpose\ebaystore\lib\attributes.jar
MD5: 24b2f52703c59c3351bbfa8f9550b487
SHA1: 2e84619ab99944d29e3a50344b080de699667a00
File Path: C:\projectsASF\ofbiz\specialpurpose\ebaystore\lib\ebaycalls.jar
MD5: 93de17ad5e92b3f680c78b39c50a4ef2
SHA1: 0d7ab705251e1b24840251582c025a708f6da3b8
File Path: C:\projectsASF\ofbiz\specialpurpose\ebaystore\lib\ebaysdkcore.jar
MD5: e28ea2cc1404c7e0ad528ce6957dd3de
SHA1: a777bd059b968c80589bedbed75cd9a56882d849
File Path: C:\projectsASF\ofbiz\specialpurpose\ebaystore\lib\helper.jar
MD5: 08c154a5118da81e284be182ce42ed0c
SHA1: 03314c1b97a14640093cd8973093adeb2b8beaca
File Path: C:\projectsASF\ofbiz\specialpurpose\ecommerce\build\lib\ofbiz-ecommerce.jar
MD5: 77684a1bab0f785cb4e5101b0251296f
SHA1: e4dfcc0c3efa1735fb4268c623d43a95795cc180
File Path: C:\projectsASF\ofbiz\specialpurpose\example\build\lib\ofbiz-example.jar
MD5: 754bc218b95d9c86dc736bc89e825d22
SHA1: 2c666fe093ba346bc2159475604a5183abd41f27
File Path: C:\projectsASF\ofbiz\specialpurpose\googlebase\build\lib\ofbiz-googlebase.jar
MD5: 8f640789bffa91f5eb948a96b75ed71b
SHA1: 083396073a5344729d5da9192e842e952d863b84
File Path: C:\projectsASF\ofbiz\specialpurpose\googlecheckout\build\lib\ofbiz-googlecheckout.jar
MD5: e4396fc6bec2074f2fb3a943341f0f6d
SHA1: c07f49c546fadce27e21a44d66b57db0f9a225c5
File Path: C:\projectsASF\ofbiz\specialpurpose\googlecheckout\lib\checkout-sdk-0.8.8.jar
MD5: 67050cd1176f674a6630e7fd12f63e26
SHA1: eeb75a7d517da08acf62fa249b45112a9259cb44
File Path: C:\projectsASF\ofbiz\specialpurpose\hhfacility\build\lib\ofbiz-hhfacility.jar
MD5: 278f760ea5d494e9202f245e2995b28f
SHA1: 4ce4c947384fa1d2bf4473079f67b0234ab84a7d
File Path: C:\projectsASF\ofbiz\specialpurpose\ldap\build\lib\ofbiz-ldap.jar
MD5: 92a9585cf0bd70274167a2b873770a8e
SHA1: 9490201f2d516257bcba3e7cbfc754e5d00486b5
Description: CAS core
File Path: C:\projectsASF\ofbiz\specialpurpose\ldap\lib\cas-server-core-3.3.jar
MD5: e3a8576e71cc9f2795883d04ecd3ccb3
SHA1: 213300c6618937c9aad0bb8d18d16ae3c916a93e
File Path: C:\projectsASF\ofbiz\specialpurpose\lucene\build\lib\lucene-test.jar
MD5: e3d7607ccf45a908f467cf166061c5ce
SHA1: 39ad1bf2a4c85f727bb512ebbe8f84617bc7097b
File Path: C:\projectsASF\ofbiz\specialpurpose\lucene\build\lib\lucene.jar
MD5: b5c0a22ebe36c78e1fd10f08c9633d87
SHA1: 0392c680bf008f2efc06a392b72863a14e5aca59
Description: Additional Analyzers
File Path: C:\projectsASF\ofbiz\specialpurpose\lucene\lib\lucene-analyzers-common-5.3.1.jar
MD5: 8c29e03ee7acf85716501e91a15321be
SHA1: bd804dbc1b8f7941018926e940d20d1016b36c4c
Description: Apache Lucene Java Core
File Path: C:\projectsASF\ofbiz\specialpurpose\lucene\lib\lucene-core-5.3.1.jar
MD5: c485f41387fceb3ee1df4c527aff9829
SHA1: 36860653d7e09790ada96aeb1970b4ca396ac5d7
Description: Lucene QueryParsers module
File Path: C:\projectsASF\ofbiz\specialpurpose\lucene\lib\lucene-queryparser-5.3.1.jar
MD5: e732b911e970ff66b9821df604a4f005
SHA1: bef0e2ac5b196dbab9d0b7c8cc8196b7ef5dd056
File Path: C:\projectsASF\ofbiz\specialpurpose\oagis\build\lib\ofbiz-oagis.jar
MD5: c1e6bcc7108f1c63ec09535843cfcea1
SHA1: 12583c55664da3b3d5120a8a4b2a1bcbcd378696
File Path: C:\projectsASF\ofbiz\specialpurpose\passport\build\lib\ofbiz-passport.jar
MD5: d4c08b3fd0e27e768b4407939a966664
SHA1: fd6170987c9ed2faf412b31ccf1282ff9f9b8fa3
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\build\lib\ofbiz-pos.jar
MD5: fb6261a751cc797a1faca0ee00986486
SHA1: 74aa8182f1a354b14e0851dd90c2969715a394fb
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\lib\jcl.jar
MD5: 1f270823e42357c5002cb38c759a2a5a
SHA1: ea0ec582a3b7d585dc2ec3efad25480fba26ba8a
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\lib\jpos18-controls.jar
MD5: 39acaf522f5872e175b7f1b47d461371
SHA1: 47a4cf80361f065d16ac6d88373aba21eb1af47d
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\lib\looks-2.0.2.jar
MD5: 4d375614b765163cb447edcdfa6ade7e
SHA1: 4970f4be588597ab900bc4c557395e342932604b
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\lib\XuiCoreSwing-v3.2rc2b.jar
MD5: ee57fc7028c280efb250f20980075220
SHA1: 88f202752cd7e675e7c04c06b677a97648b1ca5e
File Path: C:\projectsASF\ofbiz\specialpurpose\pos\lib\XuiOptional-v3.2rc2b.jar
MD5: 16dacf0d6d5d947c431789635234b780
SHA1: 3752a979846a7d19e1c894fe5d550b0309dbd139
File Path: C:\projectsASF\ofbiz\specialpurpose\projectmgr\build\lib\ofbiz-projectmgr.jar
MD5: 69f3f98901fab9cdb865886da6118c50
SHA1: 31ec3a22654d27ec367725a0ee262c656fa1b9e7
File Path: C:\projectsASF\ofbiz\specialpurpose\scrum\build\lib\ofbiz-scrum.jar
MD5: 0a718e1cc4731c734e149ca29b5cfdb8
SHA1: a7a62d681c04917117ff337836af40de6471d161
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\build\lib\ofbiz-solr.jar
MD5: 52287bed94c8a589a468a0bb270c9282
SHA1: 51a26f7de8735cf52527c751cea6bbd62d601fa0
Description: Apache Solr Core
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\compile\solr-core-5.3.1.jar
MD5: cff1dd172bebe55b046016c6ca2a59cd
SHA1: dacde184d486749c79f1cfcce456bae721ae6437
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\httpmime-4.4.1.jar
MD5: 678b75d71032e823480a41123b6b3ce2
SHA1: 2f8757f5ac5e38f46c794e5229d1f3c522e9b1df
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\joda-time-2.2.jar
Description:
Codecs and postings formats for Apache Lucene.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-codecs-5.3.1.jar
MD5: e7a51a4509ad2837c401fc83fd5645f7
SHA1: 5ce45a220258f1d92d8fcdba4dbbb43e4f035835
Description:
This is the highlighter for apache lucene java
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-highlighter-5.3.1.jar
MD5: 397a6f8aed3b8af8fbc4ea361764aaa6
SHA1: dd655be794feb9c42981b5c01b9f7f38e8b7f39e
Description: Lucene Join Module
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-join-5.3.1.jar
MD5: 884410c82522134d1b218b53032c8e60
SHA1: 88f828205c9dfb328c3e0f600010665e1934e495
Description: Miscellaneous Lucene extensions
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-misc-5.3.1.jar
MD5: 81c0ce56e57f27bf53283dddb8ae7301
SHA1: 7891bbc18b372135c2a52b471075b0bdf5f110ec
Description: Lucene Queries Module
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-queries-5.3.1.jar
MD5: 232b7d1ba5073a6fbb659565abdc8e38
SHA1: 305665b15a8b9b7840c1b804d1cb694b4177e035
Description:
Spatial Strategies for Apache Lucene
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-spatial-5.3.1.jar
MD5: 2a08625eca709f859e6bbec8860e3107
SHA1: 1b7fc73a7e24f40cb80cdc87d382fc73f6b8c2be
Description: Lucene Suggest Module
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\lucene-suggest-5.3.1.jar
MD5: 04585b35e85220c6a420a4831b9b2233
SHA1: 3da861f35aeefa786574aecec3272ea5924e45b8
Description: Noggit is the world's fastest streaming JSON parser for Java.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\noggit-0.6.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\org.restlet-2.3.0.jar
MD5: 33a94f74de95421b4938dfecb0029ab1
SHA1: 4c5d184e23fa729726668a90dc7338d80c4e7e6f
Description:
Spatial4j is a general purpose spatial / geospatial ASL licensed open-source Java library. Its
core capabilities are 3-fold: to provide common geospatially-aware shapes, to provide distance
calculations and other math, and to read shapes in WKT format.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\spatial4j-0.4.1.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\zookeeper-3.4.6.jar
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\asm-4.1.jar
MD5: fd87b0fa932a63edcc1ef652a9a33258
SHA1: ad568238ee36a820bd6c6806807e8a14ea34684d
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\asm-commons-4.1.jar
MD5: 9a4b40374d11fcb2c5b1d2a4b789e91d
SHA1: f8b86f4ee6e02082f63a658e00eb5506821253c6
Description:
Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\commons-cli-1.2.jar
Description:
Tools to assist in the reading of configuration/preferences files in
various formats
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\commons-configuration-1.6.jar
Description: Apache Commons Exec is a library to reliably execute external processes from within the JVM.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\commons-exec-1.3.jar
Description:
A high performance version of java.util.LinkedHashMap for use as a software cache.
License:
Apache: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\concurrentlinkedhashmap-lru-1.2.jar
Description: Apache Hadoop Auth - Java HTTP SPNEGO
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\hadoop-auth-2.7.2.jar
MD5: 3aa98787a5b66b696c315ff78d61b355
SHA1: bf613cfec06a1f3d3a91d7f82f9e4af75bc01f72
Description: High Performance Primitive Collections.
Fundamental data structures (maps, sets, lists, stacks, queues) generated for
combinations of object and primitive types to conserve JVM memory and speed
up execution.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\hppc-0.5.2.jar
MD5: 835da0007c0756055b5934d09a0d9cb0
SHA1: 074bcc9d152a928a4ea9ac59a5b45850bf00cd4e
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\htrace-core-3.0.4.jar
MD5: ddb872231eb1940a8f7d5b2b5d026b86
SHA1: d7461828faf28411f37f8570d896292db277d838
Description: Core Jackson abstractions, basic JSON streaming API implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\jackson-core-2.5.4.jar
Description: Support for reading and writing Smile ("binary JSON")
encoded data using Jackson abstractions (streaming API, data binding,
tree model)
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\jackson-dataformat-smile-2.5.4.jar
Description:
Lucene Kuromoji Japanese Morphological Analyzer
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-analyzers-kuromoji-5.3.1.jar
MD5: 2a661e759f75273347b7e04dd3d666fb
SHA1: 56dc1408e7f98ae569ed17aa02451cb624e88d5f
Description:
Provides phonetic encoding via Commons Codec.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-analyzers-phonetic-5.3.1.jar
MD5: 529a4272b3455fb69a9fc540add2cb09
SHA1: 78943ef1718e73973bde9da105885566ad0e07f1
Description:
Codecs for older versions of Lucene.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-backward-codecs-5.3.1.jar
MD5: 195d7917cd4078cee52eebecdb167797
SHA1: 380603f537317a78f9d9b7421bc2ac87586cb9a1
Description:
Dynamically computed values to sort/facet/search on based on a pluggable grammar.
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-expressions-5.3.1.jar
MD5: 864a09977dea28681d198d63b7da5ea5
SHA1: 2e45ba271969611bc3071b19cd164d6986f85825
Description: Lucene Grouping Module
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-grouping-5.3.1.jar
MD5: 8bc44800a541192958bc7ab5cf16b132
SHA1: 92a68afa9b7be5cbc35ca99f23003dfebc940aa7
Description:
High-performance single-document index to compare against Query
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-memory-5.3.1.jar
MD5: 671893c9b394b6ee50b920c83c596bd9
SHA1: 07d120aa207de0c422132b951585691e5afa645e
Description: Lucene Sandbox
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\lucene-sandbox-5.3.1.jar
MD5: e8a9ce2b4d9a0a4ce22befb6a1d02a6e
SHA1: 2ab2b12bf7bec88b879423898bd32067e3655fa3
Description:
Protocol Buffers are a way of encoding structured data in an efficient yet
extensible format.
License:
New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\protobuf-java-2.5.0.jar
Description: Stax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\stax2-api-3.1.4.jar
Description: Data structure which allows accurate estimation of quantiles and related rank statistics
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\t-digest-3.1.jar
Description: Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\woodstox-core-asl-4.4.1.jar
Description: Woodstox is a high-performance XML processor that implements Stax (JSR-173) API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\webapp\solr\WEB-INF\lib\wstx-asl-3.2.7.jar
File Path: C:\projectsASF\ofbiz\specialpurpose\webpos\build\lib\ofbiz-webpos.jar
MD5: 05a5cedbea230650d675a88d7c47c8c9
SHA1: 1825d39cd90748dfe03d4c7dca7e883b9b228846
File Path: C:\projectsASF\ofbiz\tools\demo-backup\contrast-rO0.jar
MD5: 385d1d5ed6f9556a06c897a999f7fb11
SHA1: 8dc7bcd50e18bea809e78cf5af87a7b5157ad26c
License:
Apache License Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\tools\security\notsoserial\notsoserial-1.0-SNAPSHOT.jar
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\fontbox-1.8.11.jar
CVE-2015-7683 suppressed
Severity:
Medium
CVSS Score: 4.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.
Vulnerable Software & Versions:
Description: Annotations Package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\annotations-api-3.0.jar
CVE-2016-0763 suppressed
Severity:
Medium
CVSS Score: 6.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
Vulnerable Software & Versions:
CVE-2016-0714 suppressed
Severity:
Medium
CVSS Score: 6.5
CWE: CWE-264 Permissions, Privileges, and Access Controls
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
Vulnerable Software & Versions:
CVE-2016-0706 suppressed
Severity:
Medium
CVSS Score: 4.0
CWE: CWE-200 Information Exposure
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Vulnerable Software & Versions:
CVE-2015-5351 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
Vulnerable Software & Versions:
CVE-2015-5346 suppressed
Severity:
Medium
CVSS Score: 6.8
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
Vulnerable Software & Versions:
CVE-2015-5345 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
Vulnerable Software & Versions:
CVE-2015-5174 suppressed
Severity:
Medium
CVSS Score: 4.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Vulnerable Software & Versions:
CVE-2014-7810 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-284 Improper Access Control
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Vulnerable Software & Versions:
CVE-2014-0230 suppressed
Severity:
High
CVSS Score: 7.8
CWE: CWE-399 Resource Management Errors
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Vulnerable Software & Versions:
CVE-2014-0227 suppressed
Severity:
Medium
CVSS Score: 6.4
CWE: CWE-19 Data Handling
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
Vulnerable Software & Versions:
CVE-2014-0119 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions:
CVE-2014-0099 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions:
CVE-2014-0096 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2014-0075 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions:
CVE-2013-6357 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions:
CVE-2013-4590 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2013-4444 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions:
CVE-2013-4322 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions:
CVE-2013-4286 suppressed
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions:
CVE-2013-2185 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions:
CVE-2012-5568 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions:
CVE-2009-3548 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions:
CVE-2009-2696 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
CVE-2008-0128 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
CVE-2007-5461 suppressed
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
CVE-2007-2449 suppressed
Severity:
Medium
CVSS Score: 4.3
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions:
CVE-2007-1358 suppressed
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions:
CVE-2007-0450 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions:
CVE-2006-7196 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions:
CVE-2005-4838 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
CVE-2005-0808 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions:
CVE-2003-0045 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions:
CVE-2003-0044 suppressed
Severity:
Medium
CVSS Score: 6.8
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions:
CVE-2003-0043 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions:
CVE-2003-0042 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions:
CVE-2002-2006 suppressed
Severity:
Medium
CVSS Score: 5.0
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions:
CVE-2002-1148 suppressed
Severity:
Medium
CVSS Score: 5.0
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions:
CVE-2002-0493 suppressed
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
CVE-2001-0590 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
CVE-2000-1210 suppressed
Severity:
Medium
CVSS Score: 5.0
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
CVE-2000-0760 suppressed
Severity:
Medium
CVSS Score: 6.4
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions:
CVE-2000-0672 suppressed
Severity:
Medium
CVSS Score: 5.0
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions:
Description: Expression language package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\el-api-3.0.jar
CVE-2014-0119 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions:
CVE-2014-0099 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions:
CVE-2014-0096 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2014-0075 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions:
CVE-2013-6357 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions:
CVE-2013-4590 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2013-4444 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions:
CVE-2013-4322 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions:
CVE-2013-4286 suppressed
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions:
CVE-2013-2185 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions:
CVE-2012-5568 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions:
CVE-2009-3548 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions:
CVE-2009-2696 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
CVE-2008-0128 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
CVE-2007-5461 suppressed
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
CVE-2007-2449 suppressed
Severity:
Medium
CVSS Score: 4.3
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions:
CVE-2007-1358 suppressed
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions:
CVE-2007-0450 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions:
CVE-2006-7196 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions:
CVE-2005-4838 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
CVE-2005-0808 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions:
CVE-2003-0045 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions:
CVE-2003-0044 suppressed
Severity:
Medium
CVSS Score: 6.8
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions:
CVE-2003-0043 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions:
CVE-2003-0042 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions:
CVE-2002-2006 suppressed
Severity:
Medium
CVSS Score: 5.0
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions:
CVE-2002-1148 suppressed
Severity:
Medium
CVSS Score: 5.0
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions:
CVE-2002-0493 suppressed
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
CVE-2001-0590 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
CVE-2000-1210 suppressed
Severity:
Medium
CVSS Score: 5.0
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
CVE-2000-0760 suppressed
Severity:
Medium
CVSS Score: 6.4
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions:
CVE-2000-0672 suppressed
Severity:
Medium
CVSS Score: 5.0
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions:
Description: JSP package
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\jsp-api-2.3.jar
CVE-2013-2185 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions:
CVE-2009-2696 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
CVE-2007-5461 suppressed
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
CVE-2002-0493 suppressed
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: javax.servlet package
License:
Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0: http://www.apache.org/licenses/LICENSE-2.0.txt and http://www.opensource.org/licenses/cddl1.txt
File Path: C:\projectsASF\ofbiz\framework\base\lib\j2eespecs\servlet-api-3.1.jar
CVE-2014-0119 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions:
CVE-2014-0099 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions:
CVE-2014-0096 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2014-0075 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions:
CVE-2013-6357 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions:
CVE-2013-4590 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions:
CVE-2013-4444 suppressed
Severity:
Medium
CVSS Score: 6.8
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions:
CVE-2013-4322 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions:
CVE-2013-4286 suppressed
Severity:
Medium
CVSS Score: 5.8
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions:
CVE-2013-2185 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions:
CVE-2012-5568 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions:
CVE-2009-3548 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions:
CVE-2009-2696 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
CVE-2008-0128 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
CVE-2007-5461 suppressed
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
CVE-2007-2449 suppressed
Severity:
Medium
CVSS Score: 4.3
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions:
CVE-2007-1358 suppressed
Severity:
Low
CVSS Score: 2.6
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions:
CVE-2007-0450 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions:
CVE-2006-7196 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions:
CVE-2005-4838 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
CVE-2005-0808 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions:
CVE-2003-0045 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions:
CVE-2003-0044 suppressed
Severity:
Medium
CVSS Score: 6.8
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions:
CVE-2003-0043 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions:
CVE-2003-0042 suppressed
Severity:
Medium
CVSS Score: 5.0
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions:
CVE-2002-2006 suppressed
Severity:
Medium
CVSS Score: 5.0
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions:
CVE-2002-1148 suppressed
Severity:
Medium
CVSS Score: 5.0
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions:
CVE-2002-0493 suppressed
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
CVE-2001-0590 suppressed
Severity:
Medium
CVSS Score: 5.0
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
CVE-2000-1210 suppressed
Severity:
Medium
CVSS Score: 5.0
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
CVE-2000-0760 suppressed
Severity:
Medium
CVSS Score: 6.4
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions:
CVE-2000-0759 suppressed
Severity:
Medium
CVSS Score: 6.4
Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.
Vulnerable Software & Versions:
CVE-2000-0672 suppressed
Severity:
Medium
CVSS Score: 5.0
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions:
Description: JavaMail API
License:
https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: C:\projectsASF\ofbiz\framework\base\lib\mail-1.5.1.jar
CVE-2007-6059 suppressed
Severity:
Medium
CVSS Score: 5.0
CWE: CWE-399 Resource Management Errors
** DISPUTED ** Javamail does not properly handle a series of invalid login attempts in which the same e-mail address is entered as username and password, and the domain portion of this address yields a Java UnknownHostException error, which allows remote attackers to cause a denial of service (connection pool exhaustion) via a large number of requests, resulting in a SQLNestedException. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."
Vulnerable Software & Versions:
Description: Tomcats JSP Parser
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\catalina\lib\tomcat-8.0.33-jasper.jar
CVE-2013-2185 suppressed
Severity:
High
CVSS Score: 7.5
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions:
CVE-2009-2696 suppressed
Severity:
Medium
CVSS Score: 4.3
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
CVE-2007-5461 suppressed
Severity:
Low
CVSS Score: 3.5
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
Vulnerable Software & Versions:
CVE-2002-0493 suppressed
Severity:
High
CVSS Score: 7.5
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Description: Apache Geronimo Transaction Manager
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\framework\geronimo\lib\geronimo-transaction-3.1.1.jar
CVE-2008-0732 suppressed
Severity:
Low
CVSS Score: 2.1
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
File Path: C:\projectsASF\ofbiz\framework\images\webapp\images\jquery\plugins\validate\package.json
MD5: 0d0dce7715fe4184364a6f0c10add6f1
SHA1: cfe99f497ed35573d7dfc291068d742399a0eee0
CVE-2007-2379 suppressed
Severity:
Medium
CVSS Score: 5.0
The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."
Vulnerable Software & Versions:
License:
http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: C:\projectsASF\ofbiz\specialpurpose\solr\lib\runtime\zookeeper-3.4.6.jar
CVE-2014-0085 suppressed
Severity:
Low
CVSS Score: 2.1
CWE: CWE-255 Credentials Management
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
Vulnerable Software & Versions: